Automatic Data Processing, Inc., commonly known as ADP, has confirmed a consumer data breach by issuing an official notice about unauthorized access to customers' accounts between January 24, 2020 and February 11, 2020.

Based on the investigation, the intruder(s) used consumers' logins and passwords.

Information about your legal name, date of birth and SIN might have been exposed.

As you can see in the notice, personal credit monitoring, identity restoration and theft insurance are offered for free. It looks like this is another case (after the CapitalOne breach) where you are publicly offered to do someone else's job. Despite the fact that you and your employers shared your private and personal data, you and only you are responsible for any effects.

Earlier, independent agencies noted material negative changes in network security and IP reputation controls. Multiple misconfigurations related to SSL/TLS, DNS and internal databases were also detected through public-facing interfaces. Malware-infected hosts were active on March 4, 2020. Multiple web servers still use expired or self-signed certificates.

There is also an interesting fact regarding ADP's security compliance status. According to the official website, ADP is SOC-1/2 and ISO 27001:2013 certified. SOC-2 is a more technical standard, in contrast to the management-oriented SOC-1 and ISO 27001:2013. It looks like ADP follows management-based requirements. But the scope is the key parameter. You can put in scope a single fully patched server or your entire environment, and the certificate will be the same document. All details can be found only in the attestation reports; this is how this certification system works. That's why it would be extremely interesting to find out the investigation results and the SOC-2 assessor's name. You may want to ask for these details, but in the case of ADP this is "mission impossible". Even if you are a client and have an NDA signed, it's not available to you. So it is a natural question whether ADP is really certified. And if there are serious reasons behind the breach, I would think twice before employing such a security assessor.

Conspiracy theory enthusiasts are also advised to read "China's TikTok Lures ADP Security Chief to Become New CISO".

There is also "good" news for those who think that they won't have security-related problems because they have Crowdstrike Falcon deployed and don't need anything else: ADP has Falcon deployed too.

ADP Canada hasn't released any official statements yet. So it is yet another question whether this data breach affected Canadian ADP customers.

Something tells me we won't know the details. There was another breach 9 years ago, and nothing has been disclosed yet.